WSUS GPO

There are three GPO sections that need to be enabled to get WSUS working in your environment.

Prerequisites

  • You will need to define an AD group for each set of clients. This normally is something like:
    • Servers: Servers that WSUS will update
    • Clients: End-user devices that WSUS will update
    • Roaming: Roaming devices like laptops that are not always connected to the network and may require different settings
  • Domain Controller
    • These need to be defined on the Domain Controller that the machines authenticate to.

Computer Configuration > Windows Update policy settings

  • Allow Automatic Updates immediate installation: Enabled
  • Allow non-administrators to receive update notifications: Enabled
  • Allow signed updates from an intranet Microsoft update service location: Disabled
    • If Enabled, you will need to install a certificate for the WSUS server in the local computer's "Trusted Publishers" certificate store.
  • Automatic Updates detection frequency: Enabled
    • Depending on the level of patching security needed, this may need to be set lower than 24 hours.
  • Always automatically restart at the scheduled time:
    • Disabled (Clients and Roaming)
      • If your end-users are reluctant to restart and this is affecting your organization's patching policy, you may need to set this to Enabled on Client devices. Always inform your users that their computers will be restarted automatically, so they are prepared and know to save their work at the end of the work day.
    • Enabled (Servers)
      • Check your organization's best practices for this; however, it is a good idea to have servers restart automatically to apply updates and keep them secure.
  • Configure Automatic Updates: Enabled
    • If this is not set, none of these other settings will actually be applied.
    • Clients and Roaming: Option 3, Auto download and notify for install, is the default setting and is usually Best Practice.
    • Servers: Option 4, Auto download and schedule the install. You can set the time here, or check "Install during automatic maintenance" and configure the schedule in the next section.
  • Delay Restart for scheduled installations: Enabled
    • If this is left Not Configured or set to Disabled, the default of 15 minutes will still be applied in the restart popup.
    • Best practice is to give devices a large window: at least 4 hours (240 minutes) for Clients, and 8 hours (480 minutes) for Servers if the Servers are not set to Auto download and schedule the install in Configure Automatic Updates.
  • Do not adjust default option to “Install Updates and Shut Down” in Shut Down Windows dialog
    • If you enable this policy setting, the user's last shut down choice (for example, Hibernate or Restart), is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? menu.
    • Note: This policy setting has no impact if the PolicyName > Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update > Do not display “Install Updates and Shut Down” option in Shut Down Windows dialog policy setting is enabled.
  • Do not display “Install updates and Shut Down” option in Shut Down Windows dialog: Enabled
  • Enable client-side targeting: Enabled
    • This is the setting where you specify Servers, Clients, Roaming, etc.
  • Enabling Windows Update Power Management to automatically wake up the computer to install scheduled updates: Enabled
    • Depending on your organization's best practices for Clients and Roaming.
    • The computer will automatically wake only if Windows Update is configured to install updates automatically. If the computer is in hibernation when the scheduled installation time occurs and there are updates to be applied, Windows Update will use the Windows Power Management or Power Options features to automatically wake the computer to install the updates. Windows Update will also wake the computer and install an update if an installation deadline occurs.
    • The computer will not wake unless there are updates to be installed. If the computer is on battery power, when Windows Update wakes it, it will not install updates and the computer will automatically return to hibernation in two minutes.
  • No auto-restart with logged on users for scheduled automatic updates installations: Depending on Best Practices
    • Clients and Roaming: Enabled
    • Servers: Disabled
  • Re-prompt for restart with scheduled installations: Depending on your organization's Best Practices
    • Clients: at least 4 hours (240 minutes)
    • Servers: 8 hours (480 minutes) if the Servers are not set to Auto download and schedule the install in Configure Automatic Updates
  • Reschedule Automatic Updates scheduled installations: Depending on your organization's Best Practices
    • Clients: at least 4 hours (240 minutes)
    • Servers: 8 hours (480 minutes) if the Servers are not set to Auto download and schedule the install in Configure Automatic Updates
  • Specify intranet Microsoft update service location: Enabled
    • Set both URLs to the server that hosts your WSUS instance
    • Example: Set the intranet update service for detecting updates: http://wsus01:8530
    • Example: Set the intranet statistics server: http://wsus01
  • Turn on recommended updates via Automatic Updates: Depending on your organization's Best Practices
    • You will most likely set this to Enabled.
    • Disabled and Not Configured will still deliver Important Updates if Automatic Updates is already configured to do so.
  • Turn on Software Notifications: Depending on your organization's Best Practices
    • Can usually be left to Disabled, unless your organization feels there is a need to give users detailed notification messages for optional applications or optional updates.
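
The following audit script is an added example, not part of the original wiki page or of any Microsoft tooling. It reads the registry values that the Windows Update GPO settings above write (the documented WSUS policy keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate) and compares them with this page's recommendations for a chosen role; the role names and minute windows are taken from the page, and the HTTPS check is a hardening recommendation that goes beyond the page's http example.

```powershell
# Added audit script, not part of the original wiki page. It reads the registry values
# that the Windows Update GPO settings above write (the documented WSUS policy keys)
# and compares them with this page's recommendations for one role. Run it elevated on a
# domain-joined machine after 'gpupdate /force'. Role names and minute windows are the page's.
param([ValidateSet('Clients','Roaming','Servers')][string]$Role = 'Clients')

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$isServer = ($Role -eq 'Servers')
$wantOpt  = if ($isServer) { 4 } else { 3 }     # 3 = auto download and notify, 4 = auto download and schedule
$minWin   = if ($isServer) { 480 } else { 240 } # restart re-prompt window in minutes, from the page

function Get-Pol([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Each check: registry path, value name, and a test that receives the actual value as $v.
$checks = [ordered]@{
    'Configure Automatic Updates: Enabled'          = @($au, 'NoAutoUpdate',                    { param($v) $v -eq 0 })
    "Configure Automatic Updates: option $wantOpt"  = @($au, 'AUOptions',                       { param($v) $v -eq $wantOpt })
    'Specify intranet update service: Enabled'      = @($au, 'UseWUServer',                     { param($v) $v -eq 1 })
    "Client-side targeting group = $Role"           = @($wu, 'TargetGroup',                     { param($v) $v -eq $Role })
    'Allow signed updates from intranet: Disabled'  = @($wu, 'AcceptTrustedPublisherCerts',     { param($v) $v -ne 1 })
    'Non-admins receive update notifications'       = @($wu, 'ElevateNonAdmins',                { param($v) $v -eq 1 })
    'Allow immediate installation: Enabled'         = @($au, 'AutoInstallMinorUpdates',         { param($v) $v -eq 1 })
    'Detection frequency: Enabled'                  = @($au, 'DetectionFrequencyEnabled',       { param($v) $v -eq 1 })
    "Always auto-restart at scheduled time ($Role)" = @($au, 'AlwaysAutoRebootAtScheduledTime', { param($v) ($v -eq 1) -eq $isServer })
    "No auto-restart with logged-on users ($Role)"  = @($au, 'NoAutoRebootWithLoggedOnUsers',   { param($v) ($v -eq 1) -ne $isServer })
    "Re-prompt for restart >= $minWin min"          = @($au, 'RebootRelaunchTimeout',           { param($v) $v -ge $minWin })
}

$results = foreach ($name in $checks.Keys) {
    $path, $valueName, $test = $checks[$name]
    $actual = Get-Pol $path $valueName
    [pscustomobject]@{ Setting = $name; Actual = $actual; Ok = [bool](& $test $actual) }
}

# The two intranet URLs must name the same WSUS host (page: set both to the server hosting WSUS).
$srv  = Get-Pol $wu 'WUServer'
$stat = Get-Pol $wu 'WUStatusServer'
$sameHost = [bool]($srv -and $stat -and ([uri]$srv).Host -eq ([uri]$stat).Host)
$results += [pscustomobject]@{ Setting = 'WUServer / WUStatusServer same host'; Actual = "$srv | $stat"; Ok = $sameHost }
# Hardening beyond the page's http example: serve WSUS over TLS so clients can authenticate the server.
$results += [pscustomobject]@{ Setting = 'WUServer uses https'; Actual = $srv; Ok = [bool]($srv -and ([uri]$srv).Scheme -eq 'https') }

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit code for use in a compliance job
```

Run it as `.\Audit-WsusPolicy.ps1 -Role Servers` (file name is an assumption) on a member of each AD group to confirm the GPO actually landed on the machines you intended.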

Computer Configuration > Maintenance Scheduler policy settings

These are only needed if you plan to create a "Maintenance Schedule" via GPO; they only work with Option 4 under Configure Automatic Updates, with "Install during automatic maintenance" checked. This is usually done for your Server group.

  • Automatic Maintenance Activation Boundary
    • Enabled: Set the time you want
  • Automatic WakeUp Policy: See your organization's Best Practices
    • Servers: leave Not Configured, as servers usually do not go to sleep.
  • Automatic Maintenance Random Delay: See your organization's Best Practices
    • This depends on how many servers you might have hitting the WSUS server.
    • Not Configured: applies a 4-hour random delay.
    • Enabled: Automatic Maintenance will delay starting from its activation boundary by up to the specified amount of time.
    • Disabled: No random delay is applied to Automatic Maintenance.

User Configuration > Windows Update policy settings

These settings are the same as Computer Configuration > Windows Update policy settings, and will have no effect if those are set via GPO. They can be used by creating another Security Group for a specific list of users or computers, and removing those computers from your Client or Roaming groups and putting them in here instead.
